Return a random URL-safe text string, containing nbytes random
bytes. The text is Base64 encoded, so on average each byte results
in approximately 1.3 characters. If nbytes is None or not
supplied, a reasonable default is used.

To be secure against
brute-force attacks,
tokens need to have sufficient randomness. Unfortunately, what is
considered sufficient will necessarily increase as computers get more
powerful and able to make more guesses in a shorter period. As of 2015,
it is believed that 32 bytes (256 bits) of randomness is sufficient for
the typical use-case expected for the secrets module.

For those who want to manage their own token length, you can explicitly
specify how much randomness is used for tokens by giving an int
argument to the various token_* functions. That argument is taken
as the number of bytes of randomness to use.

Otherwise, if no argument is provided, or if the argument is None,
the token_* functions will use a reasonable default instead.

Note

That default is subject to change at any time, including during
maintenance releases.

Applications should not
store passwords in a recoverable format,
whether plain text or encrypted. They should be salted and hashed
using a cryptographically-strong one-way (irreversible) hash function.

Generate a ten-character alphanumeric password with at least one
lowercase character, at least one uppercase character, and at least
three digits:

# On standard Linux systems, use a convenient dictionary file.# Other platforms may need to provide their own word-list.withopen('/usr/share/dict/words')asf:words=[word.strip()forwordinf]password=' '.join(choice(words)foriinrange(4))